Organizational Characteristics Influencing SME Information Security Maturity

In the current business environment, many organizations use popular standards such as the ISO 27000x series, COBIT and related frameworks to protect themselves against security incidents. However, these standards and frameworks are overly complicated for Small to Medium sized Enterprises, leaving these organizations with no easy to understand toolkit to address their security needs. This research builds upon the recent ISFAM maturity model for SME information security as a cornerstone in the development of an assessment tool for tailor-made, fast, and easy-to-use information security advice for SMEs. By performing an extensive literature review and evaluating the results with security experts, we propose the Characterizing Organizations’ Information Security for SMEs (CHOISS) model to relate measurable organizational characteristics in four categories through forty-seven parameters to help SMEs distinguish and prioritize which risks to mitigate.